(54) Title: NETWORK MANAGEMENT SYSTEM

(57) Abstract: The invention is a network management system that is placed in communication with an existing network. The
network management system interposes an intermediate advanced intelligence device between the network management system and
the client network. This insertion functions to provide additional security, communication ability and decision-making ability to the
management of network systems. The network management system combines trending performance management with intrusion
detection to develop an event correlation from multiple data sources. Specifically, data is gathered from multiple sources, a correlation
between events and performance data as it relates to security and system optimization, is created, and information is provided to a
monitor at the network management system, with additional information provided to a user at the existing network location.

NETWORK MANAGEMENT SYSTEM

Cross-Reference to Related Applications 

None.

Statement Regarding Federally Sponsored Research or Development

Not Applicable. 

Background of the Invention 

1. Field of the Invention

This invention relates to computer network management systems and, more particularly,
to a computer network management system that provides understandable information to an end
user. More specifically, the invention collects information from a client computer network and
translates data into an understandable format for display to the end user. In doing so, the
invention provides a way to provide secure network management services to third parties.

2. Related Art 

Currently, computer networks provide information to end users such as network
administrators in the form of statistical data. For example, a network administrator may obtain
reports that provide information such as number of transmitted bytes of information transmitted
across an interface, the number of packets transmitted and received over a particular link, the
number of ports in use, interface in errors, interface in/out octets, inbound/outbound unicast
packets, inbound/outbound non-unicast packets. This information is simply illustrative of the
fact that a network administrator has a specific software solution package that provides specific
statistical information about specific activities occurring on or within a computer network. A
standard in the industry for collecting such information is SNMP (Simple Network Management
Protocol). HP Openview and Computer Associates Unicenter TNG are two commercially
available software packages that utilize SNMP to provide this statistical information.

Similarly, other specific software packages exist to monitor and address other issues. For
example, security software packages monitor and provide statistical information on
security-related subjects such as, but not limited to, intrusion detection, system vulnerability, virus
detection and policy violation. An example of such a software package commonly available in
the industry is sold under the trade name NetRanger Intrusion Detection System. There are
numerous other software packages for achieving the similar goal of security monitoring which
are sold under the trade names Real Secure, Nessus, Tcpdump, Ethereal, Dsniff, SATAN,
scanlogd, snort, SARA, and logcheck.

An example of yet another specific software package is performance management
software. Examples of products currently available and sold under various trade names include
Visual Networks Visual Uptime, Iplog, and IPTraf.

Another example of specific software packages used in Network Management, and
commonly available commercially are Openview, IBM Tivoli and Unicenter TNG.

Published reports have revealed that implementation of these software packages has been
largely unsuccessful. Indeed, the GartnerGroup found that one-third of companies that had
bought their own network management systems had not implemented them within three years of
the purchase. See, Adams, Steve, "Performing for the NGN", Telecommunications International
Edition, August 1999.

In addition, it should be recognized that these software packages are so specialized that it
requires significant and specialized training to educate a network administrator in the operation
and use of data of each package. For example, information relating to in/out octets must be
carefully interpreted by a network administrator so that the operation of the specific individual
network and specific system configuration must be considered. This octet information may be
widely divergent on different systems but lead to the same conclusion, given the differences of
specific networks and configurations. More specifically, a network administrator may receive a
report showing "5,000 octets". The network administrator must then interpret this data in view
of: time since last system reset, time since last counter cycle and related interface speed (a
system running at a gigabit rate versus a system running at a megabit rate). This single example
of the interpretation of data is illustrative of the challenge facing a network administrator in
reviewing the reams of data pumped out by each of these specific network software packages.
Accordingly, the job of a network administrator in interpreting all of these extremely specialized
statistics emanating from these increasingly-specialized software packages is impossible. No one
person can any longer develop or maintain expertise in each of the software packages available or
in use.

Therefore, in recognition of these difficulties, a single network administrator position has
been often split into multiple network administrator positions. Each of the new network
administrators develops deep expertise in specific software packages. When a problem in the
network occurs, the multiple network administrators must confer with each other to determine
the origin of the problem and jointly agree on a proposed course of action for solving the
problem. Due to the transactional speed of events occurring over the network, when a problem
occurs under this new model of multiple network administrators, any problem must necessarily
be addressed after the fact, with nothing remotely approaching a real time solution.

The specialization of network administrators has also created a new corps of intrusion
detection network administrators. These network administrators work throughout various
companies on different networks. However, these administrators confer with each other
regularly regarding new or unusual network activity. Together, these administrators must share
enough information in order to determine whether their networks are under attack. However, this
sharing of information violates most security policies by disseminating detailed information
regarding network configuration to third parties, thereby further increasing the risk of future
intrusion.

This multiple network administrator model leads then to additional problem solving
conferences that quickly overload administrator resources. A catch-22 situation arises. A single
network administrator cannot possibly keep up with the expertise required in understanding the
data from all of the varied specialty software packages. Therefore, a multiple administrator
model for depth of expertise is required. A multiple administrator model cannot solve problems
as quickly as a single network administrator which leads to a delay in problem-solving that can
have catastrophic results. Therefore, the decision-making speed of a single administrator model
is required.

Thus, the major shortcoming of the current state of the art is the lack of depth in
functionality. While the ability to provide a simple up/down management service solution is
common, the linking of trending performance management with intrusion detection is
non-existent. In other words, the ability to monitor network activity from the perspective of "event
correlation" where cause and effect relationships are generated as problems occur is a tool that
allows problems to not only be fixed when they occur, but more importantly to be prevented in the
future by using the collected information productively.

Currently, there is a need to provide the depth of expertise existing in a multiple network
administrator model, to interpret specialized data flows, combined with the decision-making
speed of a single network administrator model, to identify and solve network problems in near
real-time.



Summary of the Invention 
It is in view of the above problems that the present invention was developed. The invention
is a network management system that is placed in communication with an existing network that
uses devices (workstation, server, or other client device) employing simple network management
protocol (SNMP). From these devices, the network management system selectively extracts data
relating to trending performance management, security systems, and intrusion detection.

After extraction, the network management system securely transmits this data from the
existing client network through the network management system for processing. The secure
transmission of information occurs between a distributed state machine, otherwise known as an
advanced intelligence device, and a core site. The addition of an advanced intelligence device to
the network is critical to the ability to provide multiple client networks with secure network
management services.

During data processing, the network management system creates multiple event
correlations between events and performance data. Then, these correlations are provided to a
user in the form of a graphical user interface. Specifically, the user obtains information on long
term trending, correlated views of critical events happening within a time window relating to a
particular device, and other correlations between performance management, security systems,
and intrusion detection in order to detect unknown signatures, unknown attack patterns, and other
useful information.
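
The correlation described above, sketched as an added example (not code from the patent): performance samples are compared against a trailing per-device baseline, and each exception is matched with intrusion detection alerts for the same device inside a time window. The sample data, the tuple layout, the 3-sigma rule and the 300-second window are assumptions made for illustration.

```python
"""Correlate performance exceptions with IDS alerts per device (constructed data)."""
import statistics
from bisect import bisect_left, bisect_right
from collections import defaultdict


def perf_exceptions(samples, history=6, k=3.0, min_sd=1.0):
    """Return (ts, device, value, baseline_mean) for samples above the trend.

    samples: iterable of (ts_seconds, device, utilization_percent).
    A sample is an exception when it exceeds mean + k * stdev of the previous
    `history` normal samples for that device. min_sd keeps a perfectly flat
    baseline from flagging tiny changes.
    """
    baseline = defaultdict(list)
    found = []
    for ts, device, value in sorted(samples):
        recent = baseline[device][-history:]
        if len(recent) == history:
            mean = statistics.fmean(recent)
            sd = max(statistics.pstdev(recent), min_sd)
            if value > mean + k * sd:
                found.append((ts, device, value, mean))
                continue  # keep the outlier out of the baseline
        baseline[device].append(value)
    return found


def correlate(samples, ids_alerts, window_s=300):
    """Attach IDS alerts seen within +/- window_s to each performance exception.

    ids_alerts: iterable of (ts_seconds, device, signature_name).
    An exception with no alert in the window is marked "unexplained": a
    deviation that no known signature accounts for.
    """
    alerts_by_device = defaultdict(list)
    for ts, device, signature in sorted(ids_alerts):
        alerts_by_device[device].append((ts, signature))

    findings = []
    for ts, device, value, mean in perf_exceptions(samples):
        alerts = alerts_by_device.get(device, [])
        times = [t for t, _ in alerts]
        lo = bisect_left(times, ts - window_s)
        hi = bisect_right(times, ts + window_s)
        signatures = [sig for _, sig in alerts[lo:hi]]
        findings.append({
            "device": device,
            "ts": ts,
            "value": value,
            "baseline": round(mean, 1),
            "ids_signatures": signatures,
            "verdict": "correlated" if signatures else "unexplained",
        })
    return findings


# Constructed samples: one reading every 300 s, with a spike in the last one.
SAMPLES = (
    [(i * 300, "router-1", v) for i, v in enumerate([20, 22, 21, 19, 20, 21, 85])]
    + [(i * 300, "server-a", v) for i, v in enumerate([30, 31, 29, 30, 32, 30, 95])]
)

# Constructed alerts: one close to the router spike, one far from any spike.
IDS_ALERTS = [
    (1700, "router-1", "TCP port sweep"),
    (9000, "server-a", "ICMP flood"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLES, IDS_ALERTS):
        print(finding)
```
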

Thus, the invention addresses a lack in core functionality of off-the-shelf programs. This
correlation provides a higher level of network operation awareness within existing customer
networks and Information Technology infrastructure.

The invention of this network management system permits the use of this system to
monitor and provide secure service to multiple existing customer networks. This secure service
is accomplished by the imposition of an advanced intelligence device between the core site and
the customer site. Until now, any third party monitoring and management has been done with the
third party network manager making a direct connection with the client network. However, if
multiple clients are connected to a single third party network manager, this configuration opens
the possibility that one client may obtain records and information from another client via the
network. This advanced intelligence device of the present invention is placed between any client
and the core. This placement prevents any one client/customer from reaching through the core
site to obtain access to a third party client/customer. Each existing customer network will be
connected to an advanced intelligent device which is located on the customer premises. Each
advanced intelligent device is connected to the customer network, and is in communication with
a remote site. The advanced intelligent device will run performance collection application
software to extract data. This data will be transferred to a core network operations center, a
remote site, where the data will be correlated with other enterprise management events before
finally being processed for viewing. The network management system uses a specialized security
transport and data transfer mechanism which is scaleable and adapted towards long-term trending
(as opposed to current solutions).

A graphical user interface (GUI), or web interface, will provide the customer with a
customized view of the performance of his or her network together with enterprise correlation.
The performance management function is granular enough to perform at a specific device level,
but is also able to provide information on a global network level.

Further features and advantages of the present invention, as well as the structure and
operation of various embodiments of the present invention, are described in detail below with
reference to the accompanying drawings.

Brief Description of the Drawings

The accompanying drawings, which are incorporated in and form a part of the specification, 
illustrate the embodiments of the present invention and together with the description, serve to 
explain the principles of the invention. In the drawings:

Figure 1 illustrates a block diagram of the management system of the present invention
which is in communication with an existing network;

Figure 2 illustrates a detail view of block 2-2 in Figure 1; and

Figure 3 is a block diagram illustrating the dataflow of the agent configuration of the
present invention.

Figure 4 is a block diagram of an intrusion detection system (IDS);

Figure 5 is a block diagram of dataflow relating to trend performance collection;

Figure 6 is a block diagram of dataflow relating to a graphical user interface;

Figure 7 is a block diagram of dataflow relating to correlating events;

Figure 8 is a view of a Map for display by the client machine of the present invention;

Figure 9 is a view of a Site for display by the client machine of the present invention;

Figure 10 is a view of a Host Detail for display by the client machine of the present
invention;

Figure 11 is a view of Router information for display by the client machine of the present
invention;

Figure 12 is a view of a tree for display by the client machine of the present invention;

Figure 13 is a view of utilization for display by the client machine of the present invention;

Figure 14 is a view of exceptions for display by the client machines of the present invention;

Figure 15 is a view of intrusion detection for display by the client machines of the present
invention;

Figure 16 is a view of correlation for display by the client machines of the present
invention;

Figure 17 is a view of reports that are available and can be retrieved for display by the client
machines; and

Figure 18 is a view of the display used by the client machine in order to adjust the settings
for obtaining information.

Detailed Description of the Preferred Embodiments

Referring to the accompanying drawings in which like reference numbers indicate like
elements, Figure 1 illustrates the network management system 20 of the present invention.
Network management system 20 comprises advanced intelligence device 32, linked via first
encryption/transmission device 34, second encryption/transmission device 36, transaction processor
38, and common media 40 to remote site 42.

Advanced Intelligence Device 
Advanced intelligence device 32 comprises first interface card (IC1) 44, first data loader
module (DLM) 46, second DLM 48, third DLM 50, configuration module 52, advance artificial
intelligence module 54, security module 56, data correlation module 58, transmission control
module 60, local database 62, and second interface card (IC2) 64.

First interface card 44 is used to transfer the data requests and receive the data responses
from the managed devices. First interface card 44 connects to first common media 40 that client
managed devices, shown generally at 66, are attached to. Client managed devices 64 may
include data communications equipment 68, servers 70, workstations 72, and security devices 74.

Advanced intelligence device 32 is connected to the client's existing network via first
common media 40 (and first interface card 44) on the client's premises. First common media 40
is preferably an ethernet system.

Each of the data loader modules (DLM), first data loader module 46, second data loader
module 48, and third data loader module 50, respectively, are derived from remotely located
main database 100. Each DLM 46-50 is responsible for loading data from the remote system
96 into the local database 62. Each of the DLMs 46-50, respectively is delivered to local
database 62 for faster processing. The function of a DLM, 46-50, respectively, is to instruct the
transmission control module 60 on what types of data to retrieve from a managed device 66.
Each DLM 46-50 also contains information about the method for obtaining that information. For
example, first DLM 46 monitors wide area network link performance. First DLM 46 is also
responsible for storing a mathematical formula to make useful data out of the collected statistics.
After first DLM 46 modifies data using the stored mathematical formula, the modified data is
loaded into local database 62.
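
An added example, not taken from the patent, of the kind of formula a data loader module could store, and of the "5,000 octets" interpretation problem described in the Related Art: raw ifInOctets readings are turned into percent link utilization using sysUpTime and interface speed, with counter wrap and agent reset handled. The poll values, the function names and the choice of a 32-bit counter are assumptions.

```python
"""Turn raw SNMP octet counters into link utilization (constructed sample data)."""

COUNTER32_MOD = 2 ** 32      # ifInOctets is a 32-bit counter that wraps to zero
TICKS_PER_SECOND = 100       # sysUpTime is reported in hundredths of a second


def octet_delta(prev_octets, curr_octets, modulus=COUNTER32_MOD):
    """Octets transferred between two polls, tolerating one counter wrap."""
    return (curr_octets - prev_octets) % modulus


def link_utilization(prev, curr, if_speed_bps):
    """Percent utilization between two polls, or None if not comparable.

    prev/curr are dicts with 'uptime_ticks' (sysUpTime) and 'in_octets'.
    A sysUpTime that did not advance means the agent restarted (or the polls
    are duplicates), so the counters were reset and the delta is meaningless.
    """
    dt_ticks = curr["uptime_ticks"] - prev["uptime_ticks"]
    if dt_ticks <= 0:
        return None
    seconds = dt_ticks / TICKS_PER_SECOND
    bits = octet_delta(prev["in_octets"], curr["in_octets"]) * 8
    return 100.0 * bits / (seconds * if_speed_bps)


def utilization_series(polls, if_speed_bps):
    """Utilization for each consecutive pair of polls."""
    return [link_utilization(a, b, if_speed_bps) for a, b in zip(polls, polls[1:])]


# Constructed polls. The first two intervals each last 1 second and carry
# 5,000 octets (the second one across a counter wrap); before the last poll
# the device rebooted, so sysUpTime fell back and the interval is discarded.
POLLS = [
    {"uptime_ticks": 1000, "in_octets": COUNTER32_MOD - 7000},
    {"uptime_ticks": 1100, "in_octets": COUNTER32_MOD - 2000},
    {"uptime_ticks": 1200, "in_octets": 3000},
    {"uptime_ticks": 50, "in_octets": 400},
]

if __name__ == "__main__":
    # The same 5,000 octets mean very different things at different link speeds.
    print("1 Mbit/s:", utilization_series(POLLS, 1_000_000))
    print("1 Gbit/s:", utilization_series(POLLS, 1_000_000_000))
```
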

Main database 100 is the source for the information in configuration module (CM) 52.
Once loaded with information from main database 100, configuration module 52 refreshes local
database 62 with periodic updates. Configuration module 52 is designed to configure remote
system agents, shown generally at 96, such as operating system agents, shown generally at 98.
Operating system agents 98 contain information about a variety of performance characteristics
such as percent processor utilization and available memory. Configuration module 52 uses
transmission control module 60 to communicate with the appropriate interface card 44, 64.
Through the transmission of this data, a remote agent 96 receives configuration updates.

Advance Artificial Intelligence Module (AAIM) 54 reads the data being collected by the
DLM's 46-50 and the correlated data provided by DCM 58 from the local database. AAIM 54
is initially retrieved from the remote, main database 100. AAIM 54 provides probability and
statistical information about overall system events. These events can contain security,
performance, and error conditions. AAIM 54 looks for patterns and over time begins to recognize
network problem sources. AAIM 54 can be automatically updated by the Global Advanced
Correlation Module 104. After creating statistical information about above data, AAIM 54 loads
its information into the local database 62 for future comparisons. In addition, correlation
module 58 polls AAIM 54 for instructions. Then, correlation module 58 proceeds as is set
forward in greater detail below.

Before any communication gets passed to transmission control module (TCM) 60 it must 
first be processed by security module 56. This module 56 provides authentication and 
authorization information about what information is allowed to be transferred. It also provides 
secure access to the local database 62.

The local database 62 stores information about agent configuration, client graphical user
interface (GUI) information, data loader module 46-50, AAIM 54, transaction control module
60, and correlation module 58. Local database 62 also acts as a system proxy agent for remote
long-term trending data retrieval from the remote database 100.

TCM 60 is responsible for directing traffic to or receiving traffic from the given
interfaces. It also contains detailed knowledge about what methods it is to be using to collect the
information. Each method has requirements that must be met prior to sending data to an
interface. In this way TCM 60 ensures that the information transmitted is in syntax.

Thus, it can be seen that the advanced intelligent device 32 is connected to the customer
network and is in communication with a remote site. The advanced intelligent device 32 runs
performance collection application software to extract data.

Once the data is extracted, which is in standard SNMP format, it is communicated via
first interface card 44 to transaction control module 60, as seen in Fig. 2. The transaction control
module 60 sends the data to first data loader module 46.

Meanwhile, first data loader module 46 has communicated with local database 62 to store
configuration information into memory such as the DLM name, DLM variables, DLM method,
the calculation formula, the data loading information, the variance, etc. Using the stored values
in memory, first data loader module 46 converts the incoming data from the transaction control
module 60 into variables, and applies the formulas resident within the data loader module 46.

First data loader module 46 transmits the results to local database 62 where it is stored, as
well as to transaction control module 60. Transaction control module 60 performs a look up to
determine the format needed for data transmission, preferably wire data transmission. Once the
format is known, transaction control module 60 is placed in communication with the appropriate
APIs and then sends the data to the appropriate interface.

The data loader modules 46-50 are implemented by using blocks of software code. The 
code is loaded (or initiated) by local client database 62. 

Secure Transmission of Data from Advanced Intelligence Device

Second interface card 64 provides a link to first encryption/transmission device
(TCM/ENC) 34. Second interface card 64 attaches to second common media 84 for main
database 100.

FEC/TMD 34 is preferably a router. This device 34 encrypts the data stream and
transports it across a common network with the receiving second encryption/transmission device
(SEC/TMD 36). SEC/TMD 36 is preferably a virtual private network terminator. This
encryption allows data to be securely passed between remote database 100 and local database 62
over public networks such as the Internet. Thus, the network management system of the present
invention uses a specialized security transport and data transfer mechanism. In addition, these
mechanisms are scaleable and adapted towards long-term trending.

Remote Site

Second Common Media 84 allows communication between all devices at the central
location. Preferably, second common media is an ethernet system.

Remote site 42 comprises remote system agents, shown generally at 96, operating system
agents shown generally at 98.

Remote main database 100 stores long term trending information about customer
networks. Remote main database 100 also provides information for configuration module 52,
data loader modules 46-50, transmission control module 60, AAIM 54, client GUI information,
and client events.

Global security manager (GSM) 102 reviews security and intrusion patterns across
company boundaries. This module more rapidly determines patterns and common attacks across
the customer base and initiates alerts to the network security module (NSM) 108.

Advanced correlation module (ACM) 104 provides long-term correlation data
information. It looks for patterns and trends that have occurred over longer periods of time and
seeks to identify future problems.

Network configuration module (NCM) 106 provides a way to configure system agents for
remote clients.

Network Security Monitor (NSM) 108. This device is monitored by staff to begin to
detect real-time attacks on customer networks.

Network management module (NMM) 110 performs the function of . . .



Advanced Intelligence Device 

Once information is provided from remote site 42 to second interface card 64 of advanced
intelligence device 32, the information is sent to transmission control module 60. Upon receipt
of the information, transmission control module 60 performs a look up to determine the format
needed for data transmission, preferably wire data transmission. Once the format is known,
transaction control module 60 is placed in communication with the appropriate application
program interfaces and then sends the data to the appropriate interface.



Operation of the System 

Figure 3 provides a diagram of an agent configuration data flow; Figure 4 provides a
diagram of an IDS collection data flow; Figure 5 provides a diagram of a trend performance
collection data flow; and Figure 6 provides a diagram of a client graphical user interface data
flow. These Figures are referred to during the discussion of the operation of the system as set
forth below.

As shown in Figure 3, path 120 is energized when an administrator at an administrator
console 122, which is located at a core network operations center, opens and connects to the
client database, located within main database 100. Console 122 displays the current agent
configuration information to the administrator. Next, the administrator makes changes to the
agent configuration and database 100, which is updated with log and configuration information
according to path 124. Database 100 confirms the change and replicates the change to local
client database 62, via the transaction coordinator 76, through path 126. Transaction coordinator
76 ensures that the data replication within local client database 62 is successful and transmits the
data to local client database 62 when a stable network connection is detected, as shown in path
128.

Next, data is encrypted by second encryption/transmission device 36 and transferred
across a wide area network, such as the Internet, through path 130. This transmitted data is
received by first encryption/transmission device 34. The data is then transferred along path 132
to second interface card 64. It should be noted that the encryption at first
encryption/transmission device preferably occurs on site at the client location. Second interface card 64
passes the received data to the transaction control module 60, along path 134.

The transaction control module 60 processes the data, and formats the data in preparation
for the agent update. Transaction control module 60 then prepares an information package for
updating into local client database 62. For security purposes, this formatted information is first
sent to security module 56 for logging along path 136. After the information passes through
security module 56, the data is replicated to a local client database 62 via path 138.

Configuration module 52 is continually polling local client database 62 for agent changes
using path 140. Upon detection of the replicated data, configuration module 52 retrieves the new
values from local client database 62 along path 142. Configuration module 52 then processes the
change in agent configuration, in accordance with the agent configuration dataflow shown in
Figure 3, and transfers this information to security module 56 for logging, along path 144. After
logging, security module 56 passes information along path 146 to transaction control module 60
for processing.

Transaction control module 60 sets up a transmission control protocol ("TCP") 
communication listener and transmits the newly-formatted request along path 148 to first 
interface card 44, which itself transmits the information to the remote operating system agent 88,
along path 150. After receipt of the change request, remote operating system agent 88 processes 
the commands, executes a warm restart, and provides acknowledgment of the successful 
application of the commands. Such acknowledgment is provided along path 152 to first interface 
card 44. Acknowledgment is then passed by first interface card 44 to transaction control module 
60, along path 154. Upon receipt of the acknowledgment, transaction control module 60 checks 
and determines whether a timeout has been reached. If the timeout has not been triggered, 
transaction control module 60 passes acknowledgment data to security module 56 along path 156 
for logging. If the timeout has been triggered, the data is simply discarded, and the process for 
retrieving data restarts. 

Security module 56 passes the acknowledgment data to configuration module 52 along
path 158. Configuration module 52 uses path 160 to update local client database 62 with the
acknowledgment. Local client database 62 replicates the data and provides information on this
event through path 162 to security module 56.

Security module 56 passes the data replication to transaction control module 60 along
path 164 for transmission. Transaction control module 60 passes the database replication
information via path 166 to second interface card 64 for wide-area network/Internet transmission.
Second interface card 64 passes information along path 168 to first encryption/transmission
device 34, preferably a router.

First encryption/transmission device encrypts the data replication transaction, and sends
the information along path 170, to second encryption/transmission device 36. Second
encryption/transmission device decrypts the information, and passes this information along path
172 to transaction coordinator 76.

The transaction coordinator 76 passes the data replication information along path 174 to
main database 100, to complete the final phase of agent configuration. Accordingly, this
concludes one complete cycle of a change in agent configuration, from a data flow perspective.

To provide a more specific example of agent configuration, assume that a customer is
monitoring server A (not shown). The server, by default setting, sends out a
utilization warning alert at a seventy percent (70%) utilization level, and a critical alert at a
ninety percent (90%) utilization level. The customer decides that it would like a warning
notification when the processor reaches sixty percent (60%) and would like a critical alert when
the processor reaches a seventy-five percent (75%) utilization level. Based upon this desire to
change the agent configuration parameters, the customer requests that the desired change be
implemented. The change is input into an administration console and thus is input into main
database 100. Upon receipt of this update, the data is replicated to local client database 62, in
accordance with the transmission procedures discussed above. Configuration module 52 watches
for changes in the data replicated to local client database 62. Upon recognition of the change in
data, configuration module 52 communicates in accordance with the procedures set forth above
through transaction control module 60 to client managed devices 66, and in this case, client
server 70. Client server 70 receives the updated configuration information, updates its
configuration, and restarts itself (reinitializes in Random Access Memory). Then, client server
70 replies to configuration module 52, in accordance with the procedures set forth above, that the
change was successfully implemented. Configuration module 52 then communicates with local
client database 62 and updates local client database 62. Next, this data is replicated to main
database 100, in accordance with the procedures set forth above.
5 Figure 4 provides a data flow path diagram illustrating IDS collection. Cisco Netranger 

(recently renamed to Cisco Secure Intrusion Detection System) sensor 90 sends the event 
information along path 180 to first interface card 44. First interface card 44 sends the received 
data to transaction control module 60 using path 182. Transaction control module 60 also passes 
the improcessed data along path 184 to security module 56 for logging. Secmity module 56 logs 

10 flie event and sends confirmation of the logging to the transaction control module 60 along path 

186. Transaction control module 60 sends the processed data to second interface card 64 using 
path 188 for transmission. 

Data loader module 46 expects to receive information in a specific format to facilitate the
calculation and manipulation of the data. Because the data sent by the client network is in an
incorrect format, data loader module 46 is unable to process the raw data. Thus, one purpose for
the placement of the transaction control module 60 between the data loader module 46 and the
client network is to permit transaction control module 60 to process the received data by
specifically formatting the data for the data loader module 46. In this way, properly formatted
data is provided to data loader module 46, and data loader module 46 is able to apply the
formulas it is required to execute.

Second interface card 64 uses path 190 to send the data to first encryption/transmission
device 34 for transmission. First transmission encryption device encrypts the data and transmits
it across a wide area network path 192 to second transmission encryption device 36. The receiving
second transmission/encryption device 36 decrypts the data and forwards it using path 194 to
Netranger director system 92. Netranger director system 92 uses path 196 to update main
database 100 with event data.

As is evident from the data flow diagram in Figures 3, 4 and 5, all data flows are logged 
through the security module 56. The security module logs date, time, initiating module, 
receiving module, and a short description of the event. The actual data passed through security 
module 56 is not retained in memory under normal settings, to avoid memory capacity issues. 
However, it is possible to reset the logging parameters to include a complete capture of the data
flow, which could be especially helpful in troubleshooting. 

Figure 5 illustrates a data flow diagram detailing the collection of trend performance
information. First data loader module 46 is loaded into memory from local client database 62
using path 200. Data loader module 46 initiates the set up of data collection services.
Information on the data to be collected is passed along path 202 to security module 56 for
logging. After logging, information on the data to be collected is passed along path 204 to
transaction control module 60.

Upon receipt of the information on the data to be collected, transaction control module 60
determines what service data extraction to initiate. In addition, transaction control module 60
sets up a listener for incoming SYSLOG information from firewall 95. Once this determination
is made, a structured packet of information is created by firewall 95. Next, transaction control
module 60 uses path 206 to send the now structured packet of information to first interface card
44 for transmission on the client network, first common media 40.

First interface card 44 then uses path 208 and path 210 to poll router 93 and server 94,
respectively. The polling process occurs on scheduled intervals. The polling process is a
standard SNMP get-next request. The polling is initiated by transaction control module 60.

Path 212 is an example of a SYSLOG feed. SYSLOG information is regularly
transmitted from firewall 95 through path 212 to first interface card 44, and then through path
214 to transaction control module 60 which has set up a listener for the incoming information.

At the same time as the SYSLOG operations, router 93 replies to the SNMP poll by
transmitting data in standard SNMP format via path 216 to first interface card 44, and then
through path 214 to transaction control module 60. Similarly, server 94 replies to the SNMP poll
by transmitting data in standard SNMP format via path 218 to first interface card 44, and then
through path 214 to transaction control module 60. Therefore, even though the data collection
protocols are completely unrelated, both SYSLOG and SNMP data protocols are being received
and processed by transaction control module 60.

Transaction control module 60 converts the format of the data received to a variable name
and/or variable value. For example, the data could be received in an SNMP or a SYSLOG
format. Both data formats are converted to variable name and/or variable value formats. Then
transaction control module 60 uses path 220 to pass the converted data format to security module
56 for logging. Security module 56 logs the data and passes the information to data loader
module 46 using path 222.

Data loader module 46 processes the information. Specifically, data loader module 46
checks and determines whether all of the information received is required and correct. In
addition, data loader module 46 applies the formula for consolidation and loads this information
using path 224 into local client database 62.

Local client database 62 begins replicating the information received from data loader
module 46. Once the replication process is initiated, local client database 62 uses path 228 to
initiate a request to security module 56 for logging. Security module 56 logs the replication
information and passes it through path 230 to transaction control module 60 for transmission to
main database 100. To accomplish this, transaction control module 60 directs over path 232 the
replication parameter information to second interface card 64. Second interface card 64 sends
data over path 234 to first encryption/transmission device 34 where the replication parameter
information is packetized and encrypted for transmission across a wide area network 236 such as
the internet.

Upon receipt of the encrypted transmission, second encryption/transmission device 36
decrypts the replication parameter information and passes it using path 238 to transaction
processor 76. Transaction processor 76 unpacketizes the information and loads the data via path
240 into main database 100. At this point, the replication process which began with local client
db 62 is complete.

The interaction between DLM 46 and transaction control module 60 is best illustrated in
the following example. A customer would like to view the utilization information of the
Ethernet port of his or her routers. Thus, data loader module 46 must be directed to Received
LAN Utilization. In this case, the following information is placed in a block of code:

DLM Name: Received LAN Utilization (10mb Full duplex Ethernet)
DLM Variables: 5
DLM Method: SNMPv2 Get-Next
Formula: Utilization = [Delta(IfInUcastPkts + IfInNUcastPkts + IfInErrors) * 16 + Delta(IfInOctets) * .8] / [Delta(sysUptime/100) * 10,000]

Host1 Name: Server1
Host1 IP address: 10.1.50.1
Method Var: 1
Interval: 300

Host2 Name: Server2
Host2 IP Address: 10.1.50.2
Method Var: 2
Interval: 300

Variable1: IfInUcastPkts
Value1:
Variable2: IfInNUcastPkts
Value2:
Variable3: IfInErrors
Value3:
Variable4: IfInOctets
Value4:
Variable5: sysUptime
Value5:

DataLoading_Procedure: SQL_Load Script
Temp_storage Procedure: SQL_Working Script

As is evident, the DLM 46 has very specific information needs. DLM 46 cannot process
raw data that is in SNMP format. As explained above, DLM 46 sends a request for data to the
transaction control module 60 based on these needs. The request for data is a variable/value
request (i.e. ifinucastpkts, ifinnucastpkts, etc.) and an SNMP method is specified (here SNMP
version 2) for how to get this information from the client network. This information is sent to
transaction control module 60. Transaction control module 60 first looks at the method and
determines that this is an SNMPv2 Get-next method.

Based on its knowledge of the SNMP protocol, transaction control module 60 prepares an
SNMP request for the variables identified and sends it to the named host on the client network
(in this case 10.1.50.2). Thus, transaction control module 60 determines the object identifiers
associated with the formula used by DLM 46 as set forth below.

Standard OIDs associated with this formula:

OID for Formulas

SysUptime         .1.3.6.1.2.1.1.3
IfInOctets        .1.3.6.1.2.1.2.2.1.10.instance
IfInUcastPkts     .1.3.6.1.2.1.2.2.1.11.instance
IfInNUcastPkts    .1.3.6.1.2.1.2.2.1.12.instance
IfInErrors        .1.3.6.1.2.1.2.2.1.14.instance

It is recognized that IfInOctets and the other terms directly above are well known in the art
according to SNMP standards.

Received Utilization =

[Delta(IfInUcastPkts + IfInNUcastPkts + IfInErrors) * 16 + Delta(IfInOctets) * .8]

divided by

[Delta(sysUptime/100) * 10,000]

The Received Utilization formula is well known, and is used in order to make the units work
properly. Thus, the multiplier of 16 is due to the fact that the octets are being converted to bytes,
and that there is a packet delay factor.

The transaction control module 60 request that has been translated to account for the
DLM 46 request, the specified method, and the identification of information, goes to the SNMP
agent of router 93. The SNMP agent of router 93 performs standard SNMP data collection
techniques and then sends the reply back to transaction control module 60 through the first
interface card 44. Upon receipt of the reply, transaction control module 60 checks that
sysuptime, IfInUcastPkts, IfInNUcastPkts, IfInErrors, and IfInOctets have valid values. The
TCM then prepares a reply to the initiating DLM in the format of variable/value:

(sysuptime, 61781915, ifInUcastPkts, 309698, ifInOctets, 249595928, ifInUcastPkts, 309698, ifInNUcastPkts, 0, ifInErrors, 143126)

Thus, DLM 46 receives only the data that it has requested and processes the information
according to the formula, while transaction control module 60 eliminates problems associated
with translation of variables and standards.

DLM 46 now uses the temp storage procedure to temporarily store this data in the local
database; this is done so a delta can be computed. Upon receipt of a second reply from
transaction control module 60, data loader module 46 applies the formula and loads the result
into local client database 62. This process continues with transaction control module 60 making
the request to router 93 at the required time interval.
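The delta step and the Received LAN Utilization formula described above, as an added Python example (not code from the patent). The first reply is the one printed in the text; the second reply, the Counter32 wrap handling and the restart check are assumptions made for illustration.

```python
import re

COUNTER32_MOD = 2 ** 32  # SNMP Counter32 and TimeTicks are 32-bit values
REQUIRED = ("sysuptime", "ifinucastpkts", "ifinnucastpkts",
            "ifinerrors", "ifinoctets")

# First reply: the values printed in the text above.
REPLY_1 = ("(sysuptime, 61781915, ifInUcastPkts, 309698, "
           "ifInOctets, 249595928, ifInUcastPkts, 309698, "
           "ifInNUcastPkts, 0, ifInErrors, 143126)")
# Second reply: constructed, 300 s later to match "Interval: 300".
REPLY_2 = ("(sysuptime, 61811915, ifInUcastPkts, 339698, "
           "ifInOctets, 279595928, ifInNUcastPkts, 0, "
           "ifInErrors, 143126)")


def parse_reply(text):
    """Turn '(name, value, name, value, ...)' into a validated dict."""
    fields = [f.strip() for f in text.strip().strip("()").split(",")]
    if len(fields) % 2:
        raise ValueError("reply is not a list of name/value pairs")
    sample = {}
    for name, value in zip(fields[0::2], fields[1::2]):
        if not re.fullmatch(r"[0-9]+", value) or int(value) >= COUNTER32_MOD:
            raise ValueError(f"invalid value for {name}: {value!r}")
        key = name.lower()
        # The printed reply repeats ifInUcastPkts; accept only equal repeats.
        if sample.get(key, int(value)) != int(value):
            raise ValueError(f"conflicting values for {name}")
        sample[key] = int(value)
    missing = [k for k in REQUIRED if k not in sample]
    if missing:
        raise ValueError(f"missing variables: {missing}")
    return sample


def counter_delta(old, new):
    """Difference of a Counter32 that may have wrapped once between polls."""
    return (new - old) % COUNTER32_MOD


def received_utilization(prev, curr):
    """Apply the formula to two consecutive samples.

    Returns None when sysUptime did not advance (assumed to mean the agent
    restarted, so the counters of the two samples are not comparable).
    """
    ticks = curr["sysuptime"] - prev["sysuptime"]  # hundredths of a second
    if ticks <= 0:
        return None
    packets = sum(counter_delta(prev[k], curr[k])
                  for k in ("ifinucastpkts", "ifinnucastpkts", "ifinerrors"))
    octets = counter_delta(prev["ifinoctets"], curr["ifinoctets"])
    return (packets * 16 + octets * 0.8) / ((ticks / 100) * 10_000)


if __name__ == "__main__":
    first, second = parse_reply(REPLY_1), parse_reply(REPLY_2)
    print("Received Utilization:", received_utilization(first, second))
```

Discarding a sample pair after a restart avoids loading a false utilization peak into the database, which matters when those peaks later feed correlation with intrusion events.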

As the example above covered only Received LAN Utilization, it is fully contemplated by
the present invention that many different data loader modules 46-50 may be employed, and the
invention is not limited to any particular number of data loader modules. For example, a Sent
LAN Utilization may be employed. Other subjects for data loader module coverage include the
handling of various alerts and warnings, and any other performance data. It is specifically noted
that the data loader modules of the present invention are not limited to the use of SNMP
methods. This lack of limitation is because most, if not all, customers will have a firewall.
Firewalls generally have business rules that allow or deny traffic originating outside the network
from entering into the network. By and large, firewall vendors have picked SYSLOG (not
SNMP) as the method to notify management systems of policy violations and system status. To
handle this firewall notification, a SYSLOG data loader module is created. This data loader
module informs the transaction control module 60 to set up a user datagram protocol (UDP)
listener on port 514. Additional information regarding the UDP is available on the Internet at
http://www.cis.ohio-state.edu/rfc/rfc0768.txt. As is evident in this standard, information
generated by the SYSLOG method is largely a textual description with severity and source
information. Because UDP is a connectionless protocol, SYSLOG messages are only sent to the
listener. Accordingly, no confirmation of receipt of data is returned to the firewall. The listener,
transaction control module 60, forwards the received information to the SYSLOG data loader
module where the information is processed and then loaded into the local database in accordance
with the communication procedures set forth above. Typical data that is delivered from a firewall
is well known in the art and can be found on the Internet at the following location:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/syslo^^
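The SYSLOG listener and its conversion to variable/value form, as an added Python example (not code from the patent). The sender address, the field names of the output and the sample datagram are assumptions; the priority decoding and the 1024-byte limit follow RFC 3164.

```python
import re
import socket

SEVERITY = ("emergency", "alert", "critical", "error",
            "warning", "notice", "informational", "debug")
MAX_DATAGRAM = 1024                # RFC 3164 upper bound for one message
ALLOWED_SENDERS = {"10.1.50.254"}  # assumed address of firewall 95
PRI = re.compile(rb"<([0-9]{1,3})>")

# Constructed datagram; not taken from any real firewall log.
SAMPLE = (b"<164>Mar  3 14:07:31 fw95 policy: deny tcp "
          b"198.51.100.7/4431 -> 10.1.50.1/23\n")


def to_variable_values(datagram, sender_ip):
    """Convert one SYSLOG datagram to (variable, value) pairs, or None.

    The sender check is only an address filter: UDP gives no confirmation
    and no sender authentication, so it narrows input rather than proving
    origin.
    """
    if sender_ip not in ALLOWED_SENDERS or len(datagram) > MAX_DATAGRAM:
        return None
    match = PRI.match(datagram)
    if match is None or int(match.group(1)) > 191:  # 23 * 8 + 7 is the maximum
        return None
    facility, severity = divmod(int(match.group(1)), 8)
    text = datagram[match.end():].decode("ascii", errors="replace")
    # Replace control characters so a message cannot forge extra log lines.
    text = "".join(c if c.isprintable() else " " for c in text).strip()
    return [("source", sender_ip), ("facility", facility),
            ("severity", SEVERITY[severity]), ("message", text)]


def listen(host="0.0.0.0", port=514):
    """Blocking UDP listener that yields converted records.

    Binding port 514 normally needs elevated privilege. One byte more than
    the limit is read so that oversized datagrams are seen and rejected.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, (sender_ip, _port) = sock.recvfrom(MAX_DATAGRAM + 1)
            record = to_variable_values(data, sender_ip)
            if record is not None:
                yield record


if __name__ == "__main__":
    for pair in to_variable_values(SAMPLE, "10.1.50.254"):
        print(pair)
```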

In addition to SNMP and SYSLOG, other network data collection methods include, but
are not limited to, Common Information Method ("CM"), Web Based Enterprise Management
("WBEM"), Desktop Management Interface ("DMI").

Figure 6 is a data flow diagram depicting the operation of the client's graphic user
interface. Client machine with Java shell 67 initiates a connection 250 to network management
system 20 by communicating with first interface card 44. First interface card 44 receives a
request for access and passes it to transaction control module 60 via path 252. Transaction
control module 60 receives the request, and uses path 254 to forward the request for access to
security module 56.

Security module 56 prepares a challenge for user identification information and forwards
the challenge via path 256 to transaction control module 60 for transmission to client machine 67
via path 258 to first interface card 44 and path 260 to client machine 67.

Client machine 67 then responds with a challenge phrase answer transmitted via path 262
to first interface card 44 and thence via path 264 to transaction control module 60. Transaction
control module 60 receives the challenge answer and passes it along path 266 to security module
56 for logging and verification. Upon the verification of the user identification, security module
56 permits access to graphical user interface module 69 via path 268. Graphical user interface
module 69 uses path 270 to retrieve objects from local client database 62. Local client database
62 retrieves the user interface objects and sends them along path 272 to graphical user interface
module 69 for transmission to the client machine 67.

There are a variety of user interface objects that may be requested. Depending on the user
interface object requested, information is retrieved and sent along differing paths. Specifically, if
the user has requested trend, intrusion detection system ("IDS") or event information, the local
client database 62 must obtain this information from main database 100. To do this, local client
database 62 uses path 274 to pass the request for information to transaction control module 60.
Transaction control module 60 uses path 276 to utilize second interface card 64 to transmit along
path 278 the request to first encryption/transmission device 34. The request is encrypted by first
encryption/transmission device 34 and transmitted along public network path 280 to second
encryption/transmission device 36. Second encryption/transmission device 36 decrypts the
request and sends the request along path 282 to transaction processor 76. Transaction processor
76 uses path 284 to transmit the request to main database 100.

Main database 100 processes the request, retrieves the requested information, and sends
the requested data out along path 286 to transaction processor 76 which itself forwards the data
to second encryption/transmission device 36 along path 288. Second encryption/transmission
device 36 encrypts the data and transmits the data over public network path 290 to first
encryption/transmission device 34. First encryption/transmission device 34 decrypts the data and
sends the decrypted data along path 292 to second interface card 64. Second interface card 64
uses path 294 to transmit the data to transaction control module 60. Transaction control module
60 converts the data and sends it along path 296 to security module 56. Security module 56 logs
receipt of the data and forwards the data to graphical user interface module 69 along path 298.

At this point, graphical user interface module 69 processes this data and prepares the data
for delivery to client machine 67. Specifically, graphical user interface module 69 uses path 300
to transmit information to security module 56, which logs the data and uses path 302 to forward
the data to transaction control module 60. Transaction control module 60 sends the data along
path 304 to first interface card 44, which transmits the data across Transmission Control Protocol
("TCP") connection 306. This concludes the data flow paths which take place when a user
requests trend, IDS, event data or any data residing at main database 100.

If the user has not requested trend, IDS, event data, or any data residing at main database
100, graphical user interface module 69 passes objects along path 308 to security module 56 for
logging. Security module 56 logs and passes objects to transaction control module 60 via path
310. Transaction control module 60 packetizes the data objects and transmits these packets
along path 312 to first interface card 44. First interface card 44 transmits these packets to client
machine 67 along path 314. At this point, a constant connection is established between first
interface card 44 and client machine with Java shell 67, as a user navigates the interface.
Requests by the user for relevant data are sent over this path 314 to graphical user interface
module 69. In addition, as network information is generated, graphical user interface module 69
sends updated information to the client display located at client machine 67 via path 308.

Turning to Figure 7, an explanation of the operation of correlation module 58 will
commence. Trend performance is stored in local client database 62, in accordance with the trend
performance collection procedures discussed with respect to Figure 5. In addition, the alert,
event and performance information produced pursuant to the trend performance data capture is
sent to correlation module 58. Intrusion detection information is provided to main database 100
in accordance with the intrusion detection procedures set forth in association with Figure 4. The
intrusion detection information is also provided to correlation module 58. Accordingly,
correlation module 58 has access to intrusion detection information, performance information
and alert information. Correlation module 58 receives instructions from AAIM 54 (in
accordance with the transmission procedures used throughout these examples) on how to
correlate information. Correlation module 58 then applies these instructions to the data to
calculate and determine correlations.

Correlations may take different forms. One correlation is the correlation of a
performance spike on interface utilization combined with an intrusion detection alert. These two
events may be correlated to prompt an alert message from correlation module 58 of a potential or
actual hacking attack, depending on the strength of the correlation.

Another correlation to be performed by correlation module 58 is between a peak on
central processing unit utilization with a low memory warning, coupled with an application
failure. These events may also trigger an alert from correlation module 58.

Yet another correlation could be performed by correlation module 58 on a peak on central
processing unit utilization without a low memory warning, coupled with an application failure.
These events may also trigger an alert from correlation module 58.
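The first correlation above (an interface utilization spike combined with an intrusion detection alert), as an added Python example that is not taken from the patent. The spike rule, the time window, the strength score, the threshold separating "potential" from "actual" and all sample events are assumptions, since the text leaves the correlation instructions to AAIM 54.

```python
from statistics import mean, pstdev

WINDOW = 300       # seconds; assumed equal to the 300 s polling interval
SIGMA = 3.0        # assumed spike rule: baseline mean + 3 deviations
MIN_DEV = 1.0      # assumed floor so a very flat baseline does not over-trigger
MIN_HISTORY = 5    # samples needed before a baseline is trusted
ACTUAL_AT = 0.8    # assumed strength at or above which the alert says "actual"

# Constructed utilization samples: (seconds, host, utilization value).
UTILIZATION = (
    [(i * 300, "10.1.50.1", v) for i, v in
     enumerate([8.2, 7.9, 8.4, 8.1, 8.0, 8.3, 61.5, 8.2])] +
    [(i * 300, "10.1.50.2", v) for i, v in
     enumerate([20.1, 19.8, 20.3, 20.0, 19.9, 20.2, 20.1, 20.0])]
)
# Constructed intrusion detection events: (seconds, host, description).
IDS_EVENTS = [(1815, "10.1.50.1", "constructed IDS alert A"),
              (900, "10.1.50.2", "constructed IDS alert B")]


def find_spikes(samples):
    """Return samples that exceed their host's own running baseline."""
    history, spikes = {}, []
    for when, host, value in sorted(samples):
        past = history.setdefault(host, [])
        if len(past) >= MIN_HISTORY:
            limit = mean(past) + SIGMA * max(pstdev(past), MIN_DEV)
            if value > limit:
                spikes.append((when, host, value))
                continue  # keep the spike out of the baseline
        past.append(value)
    return spikes


def correlate(spikes, ids_events):
    """Pair each spike with IDS events on the same host inside WINDOW.

    Strength falls linearly from 1.0 (same instant) to 0.0 (WINDOW apart).
    An IDS event without a spike, or a spike without an IDS event, produces
    no correlated alert here; each would still be reported on its own path.
    """
    alerts = []
    for s_when, s_host, value in spikes:
        for i_when, i_host, description in ids_events:
            gap = abs(s_when - i_when)
            if i_host != s_host or gap > WINDOW:
                continue
            strength = 1 - gap / WINDOW
            level = "actual" if strength >= ACTUAL_AT else "potential"
            alerts.append({"host": s_host, "utilization": value,
                           "ids": description, "strength": strength,
                           "level": level})
    return alerts


if __name__ == "__main__":
    for alert in correlate(find_spikes(UTILIZATION), IDS_EVENTS):
        print(alert)
```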

It is the intention of the present invention that correlation module 58 derive its correlation
function from AAIM 54. Specifically, it is the intention of the present invention to derive a
benefit from serving multiple client networks. Across multiple client networks, performance,
event and intrusion data may be correlated using advanced correlation module 104 to provide
long-term correlation data information. Advanced correlation module 104 looks for patterns and
trends that have occurred over longer periods of time and seeks to identify future problems. Once
trends or problems are identified, modification to configuration module 58 instructions are stored
in main database 100. Because correlation module 58 regularly polls AAIM 54 for new
information, in accordance with the communication procedures set forth above, configuration
module 58 will receive the updated instructions rapidly.

It is emphasized that the present invention provides a superior, secure means of providing
service to multiple client networks. In the past, network service providers would simply connect
directly to the client network. This direct connection creates security issues where multiple
clients are involved. This is because one client may reach a different client by using the service
provider as a switch. The present invention eliminates this danger by interposing an advanced
intelligence device 32 to serve as a buffer between any client network and the service provider.
Further, the additional security also enhances the ability of the service provider to extract
performance and intrusion detection information securely, confidentially and anonymously, while
sharing the benefits of the experiences across multiple client networks with all client networks.

We now turn to Figures 8-18. These figures reflect the appearance of graphical user
interface (client machine with Java shell) 67. As is illustrated in the different interface screens
provided in these Figures, an iconic and instinctive approach for providing network-related
information to the client has been taken. On the left side of each screen, an index of eight screen
areas is provided. Figure 8 illustrates the result when the "map" button on the left side is clicked
with a mouse. If the firewall icon is clicked, a filter is applied to the bottom portion of the screen
display. It is noted that intrusion detection, firewall, and DMZ icons require security administrator
privileges prior to the provision of a filter. The headquarters icon changes color based on the status
of objects. The link between headquarters and the Miami location is animated and changes color
based upon predefined variations. For example, a critical link capacity will change the link color to
red. Adjacent the link, there is also provided a Current versus Trend View, which allows an easy
wide area network overview and is updated over regular intervals, such as five minute intervals.

Double clicking on an icon object explodes the object into a detailed site view. Clicking
anywhere in the background applies a general filter. An overview of events occurring throughout
the network from traps and events generated by agents is also provided.

Similarly, the same principles set forth in the explanation of Figure 8 are reproduced with
respect to Figures 9-18. With respect to Figure 9, specifically, an Ethernet Bar is provided
which is static and is not animated. However, each server link attached to the Ethernet Bar is
animated and changes color based upon status and utilization levels.

With respect to Figure 10, double clicking on the memory icon brings up a listing of top ten
(10) memory-utilizing system processes.

Figure 11 provides information on data derived from trend performance collection data, as
discussed above in association with Figure 5.

In Figure 12, clicking on Tree items filters the list to the right of the Tree item. The Tree
leaves change color based upon the status of the items included below each leaf.

Figure 13 provides the user with displays that provide summaries of utilization. Again,
clicking on any icon will provide more detailed information, as discussed in connection with the
exploded object concept in Figure 8.

Figure 15 displays various sensors which are categorized as either private or public. Public
sensors are typically internet-positioned sensors. Private sensors are typically sensors which are
accessed by clients.

Figure 16 illustrates the user interface when it is displaying the results of the operation of 
correlation modules, 58 and 104. 

Figure 17 illustrates various reports which may be selected for further details.

Figure 18 illustrates the means for changing agent configuration settings. Once changes in
agent configurations are requested, the agent configuration is changed, as discussed in greater detail
in the discussion accompanying Figure 3.

In view of the foregoing, it will be seen that the several advantages of the invention are 
achieved and attained. 

The embodiments were chosen and described in order to best explain the principles of the
invention and its practical application to thereby enable others skilled in the art to best utilize the
invention in various embodiments and with various modifications as are suited to the particular use
contemplated.

As various modifications could be made in the constructions and methods herein described
and illustrated without departing from the scope of the invention, it is intended that all matter
contained in the foregoing description or shown in the accompanying drawings shall be interpreted
as illustrative rather than limiting. For example, advanced intelligence device 32 may be located off
customer premises, but may still be in communication with the client's existing network and
extracting data therefrom. In another example, first and second interface cards, 44 and 64
respectively, are communications interfaces, and are not limited to any particular "card" structure or
geometry. Thus, the breadth and scope of the present invention should not be limited by any of the
above-described exemplary embodiments, but should be defined only in accordance with the
following claims appended hereto and their equivalents.

What is Claimed Is:

1. A method of managing a network comprising:

connecting an advanced intelligence device to an existing network; 

connecting a network operations center to said advanced intelligence device; 

providing an advanced intelligence device with a plurality of data loader modules, a
configuration module, an advance artificial intelligence module, a correlation module, a security
module, a transmission control module, a first interface for communicating with the existing
network, a second interface for communicating with said network operations center;

providing said network operations center with a main database, a global security module,
an advanced correlation module, a network configuration module, and a network security
monitor

wherein said network operations center is connected to said advanced intelligence device
via a transaction processor and a router;

using said advanced intelligence device to extract performance data from the existing
network; and

processing the data in at least one of said advanced intelligence device and said network
operations center by correlating the data to identify potential network attacks.

2. A method of managing a network according to claim 1, further comprising: 

using said network operations center to control the extraction of data from the existing
network by said advanced intelligence device.

3. A method of managing a network according to claim 1, further comprising:

using said security module to log data transfers between said modules disposed within
said advanced intelligence device.

4. A method of managing a network according to claim 1, further comprising:

using said security module to log data coming into said advanced intelligence device.

5. A method of managing a network according to claim 1, further comprising:

using said security module to log data going out of said advanced intelligence device.

6. An advanced intelligence device comprising:

a local database for storing information about agent configuration,

a data loader module in communication with said local database;

an advanced artificial intelligence module in communication with said local database;

a correlation module in communication with said advanced artificial intelligence module;

a security module in communication with said data loader module;

a transmission control module in communication with said security module;

a correlation module in communication with said local database;

a transmission control module in communication with said security module;

a first interface card in communication with said transmission control module, said first
interface being adapted to communicate with the existing network to transmit and receive data;

a second interface card in communication with said transmission control module;

wherein said local database stores software code for accessing by said data loader
module, and wherein said data loader module transmits a request for information that is passed
through said security module to said transmission control module and said data loader module
receives the requested information from said transmission control module through said security
module;

wherein said transmission control module processes requests for information from said
data loader module, creates and transmits a request for information through said first interface
device, and receives and processes the requested information prior to transmittal of the
information to said data loader module.

7. A method of operating a data loader module comprising the steps of:

storing mathematical formulas for calculating and creating useful data from the collected
data;

instructing a transmission control module on what types of data to retrieve from a
managed device;

providing instructions to said transmission control module on how to obtain that data;

receiving data from said transmission control module;

modifying the data in accordance with the stored mathematical formulas; and

delivering modified data to a local database.

8. A method of operating an advanced artificial intelligence module comprisiag the steps of: 
reading data being collected by a plurality data loader modules; 
reading correlated data being transmitted from a local database to a data correlation
modules;

providing probability and statistical information about overall system events, such events
including security, performance, and error conditions;

evaluating the data to determine the existence of patterns relating to network problem
sources; and

loading information into said local database for future comparisons.

9. The method of claim 8, further comprising: 

receiving information from a remote database that permits said evaluation to be modified.

10. A method of operating transmission control module comprising the steps of: 
receiving a request to collect data from a specific module; 

storing information about what procedures said specific module will use to collect the
data;

storing information about what data said specific module is requesting; 
instructing specific interfaces to obtain raw data using a module specific method; 
receiving raw data from said specific interfaces; 

processing the raw data to produce the information requested by said specific module; 
transmitting the requested information to said specific module.

11. A method of operating a global advanced correlation module comprising the steps of: 
collecting information on performance and intrusion detection from multiple client
networks; 

securely transmitting said information to said global advanced correlation module; 
storing said information in a database in said global advanced correlation module; 
searching said database for patterns of potential intrusion into any one of said multiple
client networks. 

12. The method of claim 11, further comprising:

communicating the discovery of a pattern of potential intrusion to an advanced intelligent
device.

13. A method of extracting information from a network comprising: 

transferring a database object from a location at a first network to a local database on said 
first network, which local database is physically located at a second network, wherein said 
database object is a data loader module; 

connecting said first network to said second network with an interface; 

initializing said data loader module from said local database as a first software 
application in random access memory; 

transmitting a request for information from said first network to said second network;

transmitting the requested information from said second network to said first network;
and

processing the received requested information within the first network;

loading the processed information into said local database in order to use the information.

14. The method according to claim 13, wherein the request for information comprises the 
variables necessary to compute network component utilization, and wherein the step of
processing the information comprises the step of calculating network component utilization. 

15. A method of managing a network comprising: 

connecting an advanced intelligence device to an existing network; 

connecting a network operations center to said advanced intelligence device; 

channeling through said advanced intelligence device and logging within said advanced
intelligence device all flows of data between said network operations center and said advanced
intelligence device; and

channeling through said advanced intelligence device and logging within said advanced
intelligence device all flows of data between said existing network and said advanced
intelligence device.

16. A method of managing a network, in accordance with claim 15, further comprising:

correlating data from said existing network, said correlation being performed by said
advanced intelligence device.

17. A method of managing a network, in accordance with claim 15, further comprising:

correlating data from said existing network, said correlation being performed by said
network operations center.

18. A method of configuring the extraction of data from an agent compromising:

changing an agent configuration and a main database; 

transmitting and replicating this change to a local client database; 

polling said local client database with a configuration module, and detecting a change in 
the agent configuration; 

processing the change in agent configuration and passing the information to a transaction 
control module; 

setting up a newly formatted request by said transaction control module, and transmitting 
the request, to said agent; 

providing acknowledgment of the newly formatted request from said agent to said
transaction control module; 

passing said acknowledgment from said transaction control module to said configuration
module; 

updating said local client database from said configuration module; and 

replicating the acknowledgment in said local database to said main database.

19. The method according to claim 18, wherein the step of passing said acknowledgment
from said transaction control module to said configuration module compromises: 

passing said acknowledgment from said transaction control module to a security module; 

logging the acknowledgment within said security module; and 

passing said acknowledgment from said security module to said configuration module.